What could kill NSTIC?
A Friendly Threat Assessment In Three Parts
January 2013 Phil Wolff
Strategy Director Personal Data Ecosystem Consortium phil@pde.cc. @evanwolf. Linkedin Download the whitepaper: http://pde.cc/nsticrisks
Can we get to an international digital identity system?
This effort is driven in the United States under a 2004 program initiated by the National Strategy for Trusted Identity in Cyberspace through the National Institute of Standards and Technology (NIST) of the US Department of Commerce.
The two most serious threats to NSTIC’s success:
a user experience that doesn’t work;
imbalance among the forces that hold an identity ecosystem together.
Mountain View, California – October 2012 and May 2011.
Took too long. Strung out by process problems. (Alternatives emerged.)
Industry failed to build it. (Capital and management didn’t prioritize.)
NSTIC community became balkanized. NSTIC community lost cohesion; didn’t listen to each other. (Little to no interop.)
The program was co-opted by a Big Brother government. (Not trustworthy internationally and for many purposes.)
Worked, but was not trusted. (Failed Brand).
Was subverted and insecure. (Legitimately Untrusted).
Enterprise didn’t adopt it. (Business case not well made.)
After one failure, supporters abandoned the Identity Ecosystem vision. (Shallow, brittle commitment; low tolerance for failure.)
The IE was an empty room. No critical mass and demand. (Anchor tenants didn’t sign on. Institutions didn’t enroll millions of users or pull in industry ecosystems.)
Citizens didn’t want trusted identity. (Poor market fit; lack of perceived benefit.)
A local failure took down the whole identity ecosystem. (Failures of ecosystem trust, architecture, integration testing, and risk analysis.)
The IdP/RP/Trust identity model was inferior to newer models. (Technology risk.)
The IdP/RP/Trust identity model broke at scale or broke in diverse contexts. (Project design risk.)
Miscommunication within the Identity Ecosystem contributed to its death. (Poor cooperation, weak community, high self-interest, low trust.)
UX was too hard.
Everything went wrong that could go wrong.
Along with user experience, structural instability was the big issue, according to the group…
strong … imbalanced.
Each of these pillars was operating on a different tempo.
experiences but slow to socialize each round among public policy and enterprise lawyers, for example.
Motivations were misaligned.
engineered tariffs for data sharing into their terms of service, cutting off public sector and NPOs from their customers.
Core ideas didn’t survive translation.
companies backed out of supporting IE infrastructure because the “Easy ID” brand became a running joke on sitcoms, SNL, and a biting meme on YouTube.
Liability was broken.
technologies and contracts by pushing exposure from those who enabled risk to those who didn’t.
We did a similar exercise 18 months earlier in May 2011 with a similar group.
https://secure.flickr.com/photos/philwolff/5713880402/ cc-by Phil Wolff
Lack of adoption.
Impatience for long learning curve.
Usability failures. (early concern)
Interop failures.
Overscope.
Security problems like phishing and malware drawn by money.
Perversion of principles.
Chicken vs. Egg problems.
Short Attention Span and the Hype Cycle
Regulatory blocks: privacy laws, antitrust concerns, uncertainty about liability.
Waiting for Winners
Dystopian Fear
Over-promising by tech communities to policy communities
Small successes: Build confidence.
Industry marketing, PR, Media/Voice: Build public understanding.
Community user experience sharing (KM): Accelerate design.
Cultivate Engineering Focus: Developer relations.
Governance driving Interop Testing: Interop is a leadership challenge.
Clear/Graded Roadmap: Short term plans, long term visions.
Electronic Authentication Guideline, NIST SP 800-63, and other threat comment: Connect to existing NIST processes.
Security Council / Antiphishing Working Group: Make security an explicit IESG activity.
Government Affairs activity: Engage US and other governments.
OIX Risk Wiki: Engage the OIX community.
among users, security failures, and regulatory challenges were less prominent or not mentioned.
exclusively to internal ones.
The primary concern: leadership
Arbroath Cliffs Warning Notice CC-BY-NC Alan Parkinson
spending in 2013 as we prepare this paper in December 2012.
budget is passed
President fall over the “cliff.”
Nobody knows if this will directly affect NIST and the NIST staff managing the NSTIC project.
Could the stream of funding for NSTIC innovation grants dry up and will existing projects be halted?
Will NIST’s funding for the Identity Ecosystem’s Secretariat, that coordinates and supports the work of the IE, be sustained or cut?
In a trillion dollar budget, today’s spending
We don’t know how cuts in federal spending will affect the program indirectly.
Participating organizations change behavior as they
We also don’t know if the largest government agencies that would be among the first implementers of these open, user-centric, trust networks will stay in the game.
Having huge customers as “anchor tenants” provides strong incentives for the private sector to invest and make the identity ecosystem work.
Will spending cuts interfere with project continuity?
Will key personnel stay engaged?
from the Identity Ecosystem Steering Group.
A user experience that doesn’t work Imbalance among the forces that hold an identity ecosystem together.
and research association, promoting the emergence of a user-centric personal data ecosystem where personal control of personal data is good for business and society.
members are in North America, across Europe, Australia and New Zealand
and hold seminars.
Phil Wolff
– phil@pde.cc – @evanwolf – +001.510-444.8234
PDEC, the Personal Data Ecosystem Consortium, is a “small data” NGO representing startups, individuals and others who believe personal control of personal data is good for people, business, and society.